def setup(self):
    """Prepare a scratch NSS database plus the paths and subject DN used later.

    Sets ``self.nssdb``, ``self.reqfile``, ``self.certfile`` and
    ``self.subject``. Nothing in this method closes the database; cleanup
    is presumably handled by a matching teardown outside this snippet.
    """
    db = NSSDatabase()
    self.nssdb = db
    db_dir = db.secdir
    # The CSR and the issued certificate are both kept inside the database
    # directory, so they share its lifetime.
    self.reqfile, self.certfile = (
        os.path.join(db_dir, filename)
        for filename in ("test.csr", "cert.crt")
    )
    # Materialise the temporary NSS database.
    db.create_db()
    self.subject = DN(('CN', self.host_fqdn), subject_base())
Beispiel #2
 def setup(self):
     """Create the temporary NSS database and record the test file paths.

     After this runs the instance carries ``nssdb``, ``reqfile`` (CSR path),
     ``certfile`` (certificate path) and ``subject`` (CN taken from
     ``self.host_fqdn`` under the deployment's subject base). The database
     is not closed here.
     """
     nss_store = NSSDatabase()
     self.nssdb = nss_store
     store_dir = nss_store.secdir
     csr_path = os.path.join(store_dir, "test.csr")
     cert_path = os.path.join(store_dir, "cert.crt")
     self.reqfile = csr_path
     self.certfile = cert_path
     # The database itself is only created once the paths are recorded.
     nss_store.create_db()
     host_rdn = ('CN', self.host_fqdn)
     self.subject = DN(host_rdn, subject_base())
Beispiel #3
    def basecert_fsetup(self, request):
        """Set up a temporary NSS database and register its teardown.

        Populates ``self.nssdb``, ``self.reqfile``, ``self.certfile`` and
        ``self.subject``, then asks ``request`` to close the database when
        the requesting scope is torn down. The finalizer is registered only
        after the database has been created, so a failure in ``create_db``
        leaves nothing registered.
        """
        nss_store = NSSDatabase()
        self.nssdb = nss_store
        store_dir = nss_store.secdir
        self.reqfile = os.path.join(store_dir, "test.csr")
        self.certfile = os.path.join(store_dir, "cert.crt")
        # Materialise the temporary NSS database.
        nss_store.create_db()
        self.subject = DN(('CN', self.host_fqdn), subject_base())

        def _close_db():
            # Resolved through self at teardown time, so it closes whatever
            # database the instance holds at that point.
            self.nssdb.close()

        request.addfinalizer(_close_db)
Beispiel #4
 def test_update_simple(self, host):
     """Set a description and a certificate on the host, then re-read it.

     ``description``, ``usercertificate`` and ``subject`` are pinned to
     concrete values. The remaining certificate-derived attributes (issuer,
     serial number, fingerprints, validity dates) are compared against the
     module's ``fuzzy_*`` matchers, which are defined outside this snippet;
     presumably they check format rather than exact values.
     """
     changes = {
         'description': u'Updated host 1',
         'usercertificate': host_cert,
     }
     expected = {
         'description': [u'Updated host 1'],
         # Submitted as base64 text, expected back as the decoded bytes.
         'usercertificate': [base64.b64decode(host_cert)],
         'issuer': fuzzy_issuer,
         'serial_number': fuzzy_digits,
         'serial_number_hex': fuzzy_hex,
         'sha1_fingerprint': fuzzy_hash,
         'sha256_fingerprint': fuzzy_hash,
         'subject': DN(('CN', api.env.host), subject_base()),
         'valid_not_before': fuzzy_date,
         'valid_not_after': fuzzy_date,
     }
     host.update(changes, expected_updates=expected)
     host.retrieve()
Beispiel #5
 def test_update_simple(self, host):
     """Update the host's description and certificate and verify the result.

     The update is expected to echo the decoded certificate and to expose
     the attributes derived from it. Issuer, serial number, both
     fingerprints and the validity window are matched with ``fuzzy_*``
     helpers from outside this snippet, so their exact values are not
     asserted here.
     """
     new_values = dict(
         description=u'Updated host 1',
         usercertificate=host_cert,
     )
     # Built up front so the call below reads as "apply, then expect".
     cert_der = base64.b64decode(host_cert)
     host_subject = DN(('CN', api.env.host), subject_base())
     expected_updates = dict(
         description=[u'Updated host 1'],
         usercertificate=[cert_der],
         issuer=fuzzy_issuer,
         serial_number=fuzzy_digits,
         serial_number_hex=fuzzy_hex,
         sha1_fingerprint=fuzzy_hash,
         sha256_fingerprint=fuzzy_hash,
         subject=host_subject,
         valid_not_before=fuzzy_date,
         valid_not_after=fuzzy_date,
     )
     host.update(new_values, expected_updates=expected_updates)
     host.retrieve()
Beispiel #6
 def test_update_simple(self, host):
     """Update the host, re-read it, then find it again by certificate.

     Besides the update itself, this checks that a find restricted to the
     host's FQDN and the certificate just stored returns exactly one entry.
     Certificate-derived attributes other than ``subject`` are matched with
     ``fuzzy_*`` helpers defined outside this snippet.
     """
     changes = {
         'description': u'Updated host 1',
         'usercertificate': host_cert,
     }
     expected = {
         'description': [u'Updated host 1'],
         # Submitted as base64 text, expected back as the decoded bytes.
         'usercertificate': [base64.b64decode(host_cert)],
         'issuer': fuzzy_issuer,
         'serial_number': fuzzy_digits,
         'serial_number_hex': fuzzy_hex,
         'sha1_fingerprint': fuzzy_hash,
         'sha256_fingerprint': fuzzy_hash,
         'subject': DN(('CN', api.env.host), subject_base()),
         'valid_not_before': fuzzy_date,
         'valid_not_after': fuzzy_date,
     }
     host.update(changes, expected_updates=expected)
     host.retrieve()

     # host-find with --certificate: the stored certificate must identify
     # this host and nothing else.
     find_by_cert = host.make_find_command(
         fqdn=host.fqdn,
         usercertificate=host_cert,
     )
     matches = find_by_cert()['result']
     assert len(matches) == 1
Beispiel #7
 def test_update_simple(self, host):
     """Store a certificate on the host and confirm it can be searched for.

     Steps: apply the update and compare it with the expected attribute
     set, re-read the entry, then run a find keyed on the FQDN and the same
     certificate and require a single match. Everything derived from the
     certificate except ``subject`` is compared through ``fuzzy_*`` helpers
     that live outside this snippet.
     """
     new_values = dict(
         description=u'Updated host 1',
         usercertificate=host_cert,
     )
     cert_der = base64.b64decode(host_cert)
     host_subject = DN(('CN', api.env.host), subject_base())
     expected_updates = dict(
         description=[u'Updated host 1'],
         usercertificate=[cert_der],
         issuer=fuzzy_issuer,
         serial_number=fuzzy_digits,
         serial_number_hex=fuzzy_hex,
         sha1_fingerprint=fuzzy_hash,
         sha256_fingerprint=fuzzy_hash,
         subject=host_subject,
         valid_not_before=fuzzy_date,
         valid_not_after=fuzzy_date,
     )
     host.update(new_values, expected_updates=expected_updates)
     host.retrieve()

     # test host-find with --certificate
     lookup = host.make_find_command(fqdn=host.fqdn,
                                     usercertificate=host_cert)
     found = lookup()['result']
     assert len(found) == 1
Beispiel #8
# Module-level fixtures shared by the host tests. Several of them depend on
# names defined earlier in the file (ipv6_fromip_ptr, revipv6zone_dn,
# get_group_dn, get_testcert, subject_base, api), which are not shown here.

# DN of the PTR record inside the IPv6 reverse zone.
ipv6_fromip_ptr_dn = DN(('idnsname', ipv6_fromip_ptr), revipv6zone_dn)

# Sample SSH *public* key (ssh-rsa) with the comment "public key test"; no
# private key material appears in this snippet.
sshpubkey = u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGAX3xAeLeaJggwTqMjxNwa6XHBUAikXPGMzEpVrlLDCZtv00djsFTBi38PkgxBJVkgRWMrcBsr/35lq7P6w8KGIwA8GI48Z0qBS2NBMJ2u9WQ2hjLN6GdMlo77O0uJY3251p12pCVIS/bHRSq8kHO2No8g7KA9fGGcagPfQH+ee3t7HUkpbQkFTmbPPN++r3V8oVUk5LxbryB3UIIVzNmcSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM019Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF0L public key test'
# Fingerprint string in "SHA256:<digest> <comment> (<key type>)" form,
# presumably the value the server is expected to report for sshpubkey —
# not recomputed here.
sshpubkeyfp = u'SHA256:cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE public key test (ssh-rsa)'

# Names of the users, groups and host group the tests refer to, with the
# DNs of the groups.
user1 = u'tuser1'
user2 = u'tuser2'
group1 = u'group1'
group1_dn = get_group_dn(group1)
group2 = u'group2'
group2_dn = get_group_dn(group2)
hostgroup1 = u'testhostgroup1'
hostgroup1_dn = DN(('cn', hostgroup1), ('cn', 'hostgroups'),
                   ('cn', 'accounts'), api.env.basedn)

# Test certificate requested at import time for the local host: subject is
# CN=<api.env.host> under the subject base, principal is host/<host>@<realm>.
# NOTE(review): get_testcert is defined elsewhere; it presumably needs a
# reachable CA when the module is imported — confirm.
host_cert = get_testcert(DN(('CN', api.env.host), subject_base()),
                         'host/%s@%s' % (api.env.host, api.env.realm))

# Reverse-zone name and the matching address: the zone label is the
# address's octets reversed under in-addr.arpa. The address is in the
# RFC 1918 172.16.0.0/12 private range.
missingrevzone = u'22.30.16.172.in-addr.arpa.'
ipv4_in_missingrevzone_ip = u'172.16.30.22'


@pytest.fixture(scope='class')
def host(request):
    """Class-scoped fixture built from a ``HostTracker`` for ``testhost1``.

    Returns whatever ``HostTracker.make_fixture`` produces for this request;
    any cleanup is left to that method, which is defined outside this
    snippet.
    """
    return HostTracker(name=u'testhost1').make_fixture(request)


@pytest.fixture(scope='class')
def host2(request):
    tracker = HostTracker(name=u'testhost2')
Beispiel #9
# Shared module-level test data. ipv6_fromip_ptr, revipv6zone_dn,
# get_group_dn, get_testcert, subject_base and api come from parts of the
# file that are not shown here.

# DN of the PTR record inside the IPv6 reverse zone.
ipv6_fromip_ptr_dn = DN(('idnsname', ipv6_fromip_ptr), revipv6zone_dn)

# ssh-rsa public key used as test input (comment field: "public key test").
# Only the public half is present.
sshpubkey = u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGAX3xAeLeaJggwTqMjxNwa6XHBUAikXPGMzEpVrlLDCZtv00djsFTBi38PkgxBJVkgRWMrcBsr/35lq7P6w8KGIwA8GI48Z0qBS2NBMJ2u9WQ2hjLN6GdMlo77O0uJY3251p12pCVIS/bHRSq8kHO2No8g7KA9fGGcagPfQH+ee3t7HUkpbQkFTmbPPN++r3V8oVUk5LxbryB3UIIVzNmcSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM019Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF0L public key test'
# "SHA256:<digest> <comment> (<key type>)" string, presumably the
# fingerprint the tests expect for sshpubkey — not verified here.
sshpubkeyfp = u'SHA256:cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE public key test (ssh-rsa)'

# User, group and host-group names, plus the DNs of the groups.
user1 = u'tuser1'
user2 = u'tuser2'
group1 = u'group1'
group1_dn = get_group_dn(group1)
group2 = u'group2'
group2_dn = get_group_dn(group2)
hostgroup1 = u'testhostgroup1'
hostgroup1_dn = DN(('cn',hostgroup1),('cn','hostgroups'),('cn','accounts'),
                    api.env.basedn)

# Certificate for the local host, obtained when the module is imported:
# subject CN=<api.env.host> under the subject base, principal
# host/<host>@<realm>.
# NOTE(review): get_testcert is not shown; it presumably talks to a CA at
# import time — confirm.
host_cert = get_testcert(DN(('CN', api.env.host), subject_base()),
                         'host/%s@%s' % (api.env.host, api.env.realm))

# An address and the reverse zone it would belong to (octets reversed under
# in-addr.arpa). 172.16.30.22 is inside the RFC 1918 172.16.0.0/12 range.
missingrevzone = u'22.30.16.172.in-addr.arpa.'
ipv4_in_missingrevzone_ip = u'172.16.30.22'


@pytest.fixture(scope='class')
def host(request):
    """Provide the ``testhost1`` tracker fixture once per test class.

    The value handed to tests is the result of ``make_fixture(request)`` on
    a fresh ``HostTracker``; that method lives outside this snippet.
    """
    host_tracker = HostTracker(name=u'testhost1')
    fixture = host_tracker.make_fixture(request)
    return fixture


@pytest.fixture(scope='class')
def host2(request):
    tracker = HostTracker(name=u'testhost2')
Beispiel #10
# Declarative test sequence for the service_* commands.
#
# Each entry in `tests` is a dict with a human-readable `desc`, a `command`
# triple of (command name, positional args, options) and the `expected`
# result, which is either a result dict or an error instance. The entries
# build on each other (hosts and the service are created before they are
# shown, modified and deleted), so their order matters.
#
# fqdn1..3, host1dn..3dn, service1, service1dn, servercert, randomissuercert,
# randomissuer, hostprincipal1 and the fuzzy_* matchers are defined outside
# this snippet.
class test_service(Declarative):

    # Same (command, args, options) shape as the test commands below.
    # NOTE(review): presumably run by Declarative around the test sequence
    # to remove leftovers — confirm against the base class.
    cleanup_commands = [
        ('host_del', [fqdn1], {}),
        ('host_del', [fqdn2], {}),
        ('host_del', [fqdn3], {}),
        ('service_del', [service1], {}),
    ]

    tests = [
        # --- Operations on a service that does not exist yet ---
        dict(
            desc='Try to retrieve non-existent %r' % service1,
            command=('service_show', [service1], {}),
            expected=errors.NotFound(reason=u'%s: service not found' %
                                     service1),
        ),
        dict(
            desc='Try to update non-existent %r' % service1,
            command=('service_mod', [service1],
                     dict(usercertificate=servercert)),
            expected=errors.NotFound(reason=u'%s: service not found' %
                                     service1),
        ),
        dict(
            desc='Try to delete non-existent %r' % service1,
            command=('service_del', [service1], {}),
            expected=errors.NotFound(reason=u'%s: service not found' %
                                     service1),
        ),
        # --- Create the three hosts the service tests rely on ---
        # A new host is expected to manage itself (managedby_host) and to
        # have neither a keytab nor a password.
        # NOTE(review): force=True presumably skips the DNS check for the
        # host name — confirm.
        dict(
            desc='Create %r' % fqdn1,
            command=(
                'host_add',
                [fqdn1],
                dict(
                    description=u'Test host 1',
                    l=u'Undisclosed location 1',
                    force=True,
                ),
            ),
            expected=dict(
                value=fqdn1,
                summary=u'Added host "%s"' % fqdn1,
                result=dict(
                    dn=host1dn,
                    fqdn=[fqdn1],
                    description=[u'Test host 1'],
                    l=[u'Undisclosed location 1'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                    krbcanonicalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                    objectclass=objectclasses.host,
                    ipauniqueid=[fuzzy_uuid],
                    managedby_host=[u'%s' % fqdn1],
                    has_keytab=False,
                    has_password=False,
                ),
            ),
        ),
        dict(
            desc='Create %r' % fqdn2,
            command=(
                'host_add',
                [fqdn2],
                dict(
                    description=u'Test host 2',
                    l=u'Undisclosed location 2',
                    force=True,
                ),
            ),
            expected=dict(
                value=fqdn2,
                summary=u'Added host "%s"' % fqdn2,
                result=dict(
                    dn=host2dn,
                    fqdn=[fqdn2],
                    description=[u'Test host 2'],
                    l=[u'Undisclosed location 2'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn2, api.env.realm)],
                    krbcanonicalname=[u'host/%s@%s' % (fqdn2, api.env.realm)],
                    objectclass=objectclasses.host,
                    ipauniqueid=[fuzzy_uuid],
                    managedby_host=[u'%s' % fqdn2],
                    has_keytab=False,
                    has_password=False,
                ),
            ),
        ),
        # fqdn3 is submitted as given but every expected value uses
        # fqdn3.lower(): the host name and the principals derived from it
        # are expected to come back lower-cased.
        dict(
            desc='Create %r' % fqdn3,
            command=(
                'host_add',
                [fqdn3],
                dict(
                    description=u'Test host 3',
                    l=u'Undisclosed location 3',
                    force=True,
                ),
            ),
            expected=dict(
                value=fqdn3.lower(),
                summary=u'Added host "%s"' % fqdn3.lower(),
                result=dict(
                    dn=host3dn,
                    fqdn=[fqdn3.lower()],
                    description=[u'Test host 3'],
                    l=[u'Undisclosed location 3'],
                    krbprincipalname=[
                        u'host/%s@%s' % (fqdn3.lower(), api.env.realm)
                    ],
                    krbcanonicalname=[
                        u'host/%s@%s' % (fqdn3.lower(), api.env.realm)
                    ],
                    objectclass=objectclasses.host,
                    ipauniqueid=[fuzzy_uuid],
                    managedby_host=[u'%s' % fqdn3.lower()],
                    has_keytab=False,
                    has_password=False,
                ),
            ),
        ),
        # --- Create, show and search the service ---
        # The new service is expected to be managed by fqdn1.
        dict(
            desc='Create %r' % service1,
            command=(
                'service_add',
                [service1],
                dict(force=True, ),
            ),
            expected=dict(
                value=service1,
                summary=u'Added service "%s"' % service1,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    krbcanonicalname=[service1],
                    objectclass=objectclasses.service,
                    ipauniqueid=[fuzzy_uuid],
                    managedby_host=[fqdn1],
                ),
            ),
        ),
        dict(
            desc='Try to create duplicate %r' % service1,
            command=(
                'service_add',
                [service1],
                dict(force=True, ),
            ),
            expected=errors.DuplicateEntry(
                message=u'service with name "%s" already exists' % service1),
        ),
        dict(
            desc='Retrieve %r' % service1,
            command=('service_show', [service1], {}),
            expected=dict(
                value=service1,
                summary=None,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    krbcanonicalname=[service1],
                    has_keytab=False,
                    managedby_host=[fqdn1],
                ),
            ),
        ),
        # all=True additionally exposes the Kerberos policy attributes. For
        # a freshly created service this test expects pre-authentication to
        # be required and both delegation flags to be off.
        dict(
            desc='Retrieve %r with all=True' % service1,
            command=('service_show', [service1], dict(all=True)),
            expected=dict(
                value=service1,
                summary=None,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    ipakrbprincipalalias=[service1],
                    krbcanonicalname=[service1],
                    objectclass=objectclasses.service,
                    ipauniqueid=[fuzzy_uuid],
                    managedby_host=[fqdn1],
                    has_keytab=False,
                    ipakrbrequirespreauth=True,
                    ipakrbokasdelegate=False,
                    ipakrboktoauthasdelegate=False,
                    krbpwdpolicyreference=[
                        DN(
                            u'cn=Default Service Password Policy',
                            api.env.container_service,
                            api.env.basedn,
                        )
                    ],
                ),
            ),
        ),
        # With no_members=False the search result includes managedby_host;
        # the plain search that follows expects it to be absent.
        dict(
            desc='Search for %r with members' % service1,
            command=('service_find', [service1], {
                'no_members': False
            }),
            expected=dict(
                count=1,
                truncated=False,
                summary=u'1 service matched',
                result=[
                    dict(
                        dn=service1dn,
                        krbprincipalname=[service1],
                        krbcanonicalname=[service1],
                        managedby_host=[fqdn1],
                        has_keytab=False,
                    ),
                ],
            ),
        ),
        dict(
            desc='Search for %r' % service1,
            command=('service_find', [service1], {}),
            expected=dict(
                count=1,
                truncated=False,
                summary=u'1 service matched',
                result=[
                    dict(
                        dn=service1dn,
                        krbprincipalname=[service1],
                        krbcanonicalname=[service1],
                        has_keytab=False,
                    ),
                ],
            ),
        ),
        dict(
            desc='Search for %r with all=True' % service1,
            command=('service_find', [service1], dict(all=True)),
            expected=dict(
                count=1,
                truncated=False,
                summary=u'1 service matched',
                result=[
                    dict(
                        dn=service1dn,
                        krbprincipalname=[service1],
                        ipakrbprincipalalias=[service1],
                        krbcanonicalname=[service1],
                        objectclass=objectclasses.service,
                        ipauniqueid=[fuzzy_uuid],
                        has_keytab=False,
                        managedby_host=[fqdn1],
                        ipakrbrequirespreauth=True,
                        ipakrbokasdelegate=False,
                        ipakrboktoauthasdelegate=False,
                        krbpwdpolicyreference=[
                            DN(
                                u'cn=Default Service Password Policy',
                                api.env.container_service,
                                api.env.basedn,
                            )
                        ],
                    ),
                ],
            ),
        ),
        # --- Managing hosts (managedby) ---
        # Unknown hosts are reported in `failed` with completed=0 rather
        # than raising; the managedby_host list must stay unchanged.
        dict(
            desc='Add non-existent host to %r' % service1,
            command=('service_add_host', [service1], dict(host=u'notfound')),
            expected=dict(
                failed=dict(managedby=dict(host=[(u'notfound',
                                                  u'no such entry')])),
                completed=0,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    krbcanonicalname=[service1],
                    managedby_host=[fqdn1],
                ),
            ),
        ),
        dict(
            desc='Remove non-existent host from %r' % service1,
            command=('service_remove_host', [service1],
                     dict(host=u'notfound')),
            expected=dict(
                failed=dict(managedby=dict(
                    host=[(u'notfound', u'This entry is not a member')])),
                completed=0,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    krbcanonicalname=[service1],
                    managedby_host=[fqdn1],
                ),
            ),
        ),
        dict(
            desc='Add host to %r' % service1,
            command=('service_add_host', [service1], dict(host=fqdn2)),
            expected=dict(
                failed=dict(managedby=dict(host=[])),
                completed=1,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    krbcanonicalname=[service1],
                    managedby_host=[fqdn1, fqdn2],
                ),
            ),
        ),
        dict(
            desc='Remove host from %r' % service1,
            command=('service_remove_host', [service1], dict(host=fqdn2)),
            expected=dict(
                failed=dict(managedby=dict(host=[])),
                completed=1,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    krbcanonicalname=[service1],
                    managedby_host=[fqdn1],
                ),
            ),
        ),
        # The mixed-case name is accepted on input and expected back
        # lower-cased, for both adding and removing.
        dict(
            desc='Add mixed-case host to %r' % service1,
            command=('service_add_host', [service1], dict(host=fqdn3)),
            expected=dict(
                failed=dict(managedby=dict(host=[])),
                completed=1,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    krbcanonicalname=[service1],
                    managedby_host=[fqdn1, fqdn3.lower()],
                ),
            ),
        ),
        dict(
            desc='Remove mixed-case host from %r' % service1,
            command=('service_remove_host', [service1], dict(host=fqdn3)),
            expected=dict(
                failed=dict(managedby=dict(host=[])),
                completed=1,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    krbcanonicalname=[service1],
                    managedby_host=[fqdn1],
                ),
            ),
        ),
        # --- Certificates ---
        # This case expects service_mod to *succeed* with a certificate
        # described as coming from a random issuer, and the issuer is only
        # fuzzy-matched. A certificate stored in usercertificate is
        # therefore not, by itself, evidence that the deployment's CA
        # issued it; anything consuming the attribute has to validate the
        # chain on its own.
        # The certificate-derived fields include a SHA-1 fingerprint next
        # to the SHA-256 one; both are compared with fuzzy_hash only.
        dict(
            desc='Update %r with a random issuer certificate' % service1,
            command=('service_mod', [service1],
                     dict(usercertificate=base64.b64decode(randomissuercert))),
            expected=dict(
                value=service1,
                summary=u'Modified service "%s"' % service1,
                result=dict(
                    usercertificate=[base64.b64decode(randomissuercert)],
                    krbprincipalname=[service1],
                    krbcanonicalname=[service1],
                    managedby_host=[fqdn1],
                    valid_not_before=fuzzy_date,
                    valid_not_after=fuzzy_date,
                    subject=randomissuer,
                    serial_number=fuzzy_digits,
                    serial_number_hex=fuzzy_hex,
                    sha1_fingerprint=fuzzy_hash,
                    sha256_fingerprint=fuzzy_hash,
                    issuer=fuzzy_issuer,
                ),
            ),
        ),
        # Here the certificate is passed as base64 text (not decoded first,
        # unlike the previous case); the result is expected to hold the
        # decoded bytes and to replace the random-issuer certificate.
        dict(
            desc='Update %r' % service1,
            command=('service_mod', [service1],
                     dict(usercertificate=servercert)),
            expected=dict(
                value=service1,
                summary=u'Modified service "%s"' % service1,
                result=dict(
                    usercertificate=[base64.b64decode(servercert)],
                    krbprincipalname=[service1],
                    krbcanonicalname=[service1],
                    managedby_host=[fqdn1],
                    valid_not_before=fuzzy_date,
                    valid_not_after=fuzzy_date,
                    subject=DN(('CN', api.env.host), subject_base()),
                    serial_number=fuzzy_digits,
                    serial_number_hex=fuzzy_hex,
                    sha1_fingerprint=fuzzy_hash,
                    sha256_fingerprint=fuzzy_hash,
                    issuer=fuzzy_issuer,
                ),
            ),
        ),
        # --- PAC type (ipakrbauthzdata) ---
        # NONE is exclusive: combining it with another PAC type must be
        # rejected by validation.
        dict(desc='Try to update %r with invalid ipakrbauthz data '
             'combination' % service1,
             command=('service_mod', [service1],
                      dict(ipakrbauthzdata=[u'MS-PAC', u'NONE'])),
             expected=errors.ValidationError(
                 name='ipakrbauthzdata',
                 error=u'NONE value cannot be combined with other PAC types')),
        dict(
            desc='Update %r with valid ipakrbauthz data '
            'combination' % service1,
            command=('service_mod', [service1],
                     dict(ipakrbauthzdata=[u'MS-PAC'])),
            expected=dict(
                value=service1,
                summary=u'Modified service "%s"' % service1,
                result=dict(
                    usercertificate=[base64.b64decode(servercert)],
                    krbprincipalname=[service1],
                    krbcanonicalname=[service1],
                    managedby_host=[fqdn1],
                    ipakrbauthzdata=[u'MS-PAC'],
                    valid_not_before=fuzzy_date,
                    valid_not_after=fuzzy_date,
                    subject=DN(('CN', api.env.host), subject_base()),
                    serial_number=fuzzy_digits,
                    serial_number_hex=fuzzy_hex,
                    sha1_fingerprint=fuzzy_hash,
                    sha256_fingerprint=fuzzy_hash,
                    issuer=fuzzy_issuer,
                ),
            ),
        ),
        dict(
            desc='Retrieve %r to verify update' % service1,
            command=('service_show', [service1], {}),
            expected=dict(
                value=service1,
                summary=None,
                result=dict(
                    dn=service1dn,
                    usercertificate=[base64.b64decode(servercert)],
                    krbprincipalname=[service1],
                    krbcanonicalname=[service1],
                    has_keytab=False,
                    managedby_host=[fqdn1],
                    ipakrbauthzdata=[u'MS-PAC'],
                    # These values come from the servercert that is in this
                    # test case.
                    valid_not_before=fuzzy_date,
                    valid_not_after=fuzzy_date,
                    subject=DN(('CN', api.env.host), subject_base()),
                    serial_number=fuzzy_digits,
                    serial_number_hex=fuzzy_hex,
                    sha1_fingerprint=fuzzy_hash,
                    sha256_fingerprint=fuzzy_hash,
                    issuer=fuzzy_issuer,
                ),
            ),
        ),
        # --- Kerberos ticket flags ---
        # Enabling OK_AS_DELEGATE is expected to yield krbticketflags
        # 1048704 == 0x100080.
        # NOTE(review): in MIT krb5's KDB flag numbering that would be
        # OK_AS_DELEGATE (0x100000) | REQUIRES_PRE_AUTH (0x80), which fits
        # ipakrbrequirespreauth=True above — confirm against kdb.h.
        dict(
            desc='Enable %r OK_AS_DELEGATE Kerberos ticket flag' % service1,
            command=('service_mod', [service1], dict(ipakrbokasdelegate=True)),
            expected=dict(
                value=service1,
                summary=u'Modified service "%s"' % service1,
                result=dict(
                    usercertificate=[base64.b64decode(servercert)],
                    krbprincipalname=[service1],
                    krbcanonicalname=[service1],
                    managedby_host=[fqdn1],
                    ipakrbauthzdata=[u'MS-PAC'],
                    valid_not_before=fuzzy_date,
                    valid_not_after=fuzzy_date,
                    subject=DN(('CN', api.env.host), subject_base()),
                    serial_number=fuzzy_digits,
                    serial_number_hex=fuzzy_hex,
                    sha1_fingerprint=fuzzy_hash,
                    sha256_fingerprint=fuzzy_hash,
                    issuer=fuzzy_issuer,
                    krbticketflags=[u'1048704'],
                    ipakrbokasdelegate=True,
                ),
            ),
        ),
        # The raw attribute is overwritten through setattr with
        # 1048577 == 0x100001: the 0x100000 bit stays set, 0x80 is dropped
        # and 0x1 is added. The expected result carries only krbticketflags,
        # not the ipakrbokasdelegate boolean.
        dict(
            desc='Update %r Kerberos ticket flags with setattr' % service1,
            command=('service_mod', [service1],
                     dict(setattr=[u'krbTicketFlags=1048577'])),
            expected=dict(
                value=service1,
                summary=u'Modified service "%s"' % service1,
                result=dict(
                    usercertificate=[base64.b64decode(servercert)],
                    krbprincipalname=[service1],
                    krbcanonicalname=[service1],
                    managedby_host=[fqdn1],
                    ipakrbauthzdata=[u'MS-PAC'],
                    valid_not_before=fuzzy_date,
                    valid_not_after=fuzzy_date,
                    subject=DN(('CN', api.env.host), subject_base()),
                    serial_number=fuzzy_digits,
                    serial_number_hex=fuzzy_hex,
                    sha1_fingerprint=fuzzy_hash,
                    sha256_fingerprint=fuzzy_hash,
                    issuer=fuzzy_issuer,
                    krbticketflags=[u'1048577'],
                ),
            ),
        ),
        # Disabling the flag must clear only the 0x100000 bit: the value
        # goes from 1048577 to 1, so the unrelated low bit written via
        # setattr survives.
        dict(
            desc='Disable %r OK_AS_DELEGATE Kerberos ticket flag' % service1,
            command=('service_mod', [service1],
                     dict(ipakrbokasdelegate=False)),
            expected=dict(
                value=service1,
                summary=u'Modified service "%s"' % service1,
                result=dict(
                    usercertificate=[base64.b64decode(servercert)],
                    krbprincipalname=[service1],
                    krbcanonicalname=[service1],
                    managedby_host=[fqdn1],
                    ipakrbauthzdata=[u'MS-PAC'],
                    valid_not_before=fuzzy_date,
                    valid_not_after=fuzzy_date,
                    subject=DN(('CN', api.env.host), subject_base()),
                    serial_number=fuzzy_digits,
                    serial_number_hex=fuzzy_hex,
                    sha1_fingerprint=fuzzy_hash,
                    sha256_fingerprint=fuzzy_hash,
                    issuer=fuzzy_issuer,
                    krbticketflags=[u'1'],
                    ipakrbokasdelegate=False,
                ),
            ),
        ),
        # --- Delete, then repeat the not-found checks ---
        dict(
            desc='Delete %r' % service1,
            command=('service_del', [service1], {}),
            expected=dict(
                value=[service1],
                summary=u'Deleted service "%s"' % service1,
                result=dict(failed=[]),
            ),
        ),
        dict(
            desc='Try to retrieve non-existent %r' % service1,
            command=('service_show', [service1], {}),
            expected=errors.NotFound(reason=u'%s: service not found' %
                                     service1),
        ),
        dict(
            desc='Try to update non-existent %r' % service1,
            command=('service_mod', [service1],
                     dict(usercertificate=servercert)),
            expected=errors.NotFound(reason=u'%s: service not found' %
                                     service1),
        ),
        dict(
            desc='Try to delete non-existent %r' % service1,
            command=('service_del', [service1], {}),
            expected=errors.NotFound(reason=u'%s: service not found' %
                                     service1),
        ),
        # --- Principal validation ---
        # A bare name without a service component is rejected.
        dict(desc='Create service with malformed principal "foo"',
             command=('service_add', [u'foo'], {}),
             expected=errors.ValidationError(
                 name='canonical_principal',
                 error='Service principal is required')),
        # A principal in a realm other than the server's must be rejected.
        # NOTE(review): the "[email protected]" text in the two literals
        # below looks like the hosting page's e-mail obfuscation replacing
        # part of the original principal; restore the original value from
        # the upstream file before running this case.
        dict(
            desc='Create service with bad realm "HTTP/[email protected]"',
            command=('service_add', [u'HTTP/[email protected]'], {}),
            expected=errors.RealmMismatch(),
        ),
        # Host principals may not be created through service_add.
        dict(desc='Create a host service %r' % hostprincipal1,
             command=('service_add', [hostprincipal1], {}),
             expected=errors.HostService()),

        # Guard rails for the IPA master's own principals: deleting or
        # disabling the HTTP/ and ldap/ services of api.env.host must fail
        # with a ValidationError instead of being carried out.
        # These tests will only succeed when running against lite-server.py
        # on same box as IPA install.
        dict(
            desc=
            'Delete the current host (master?) %s HTTP service, should be caught'
            % api.env.host,
            command=('service_del', ['HTTP/%s' % api.env.host], {}),
            expected=errors.ValidationError(
                name='principal',
                error='This principal is required by the IPA master'),
        ),
        dict(
            desc=
            'Delete the current host (master?) %s ldap service, should be caught'
            % api.env.host,
            command=('service_del', ['ldap/%s' % api.env.host], {}),
            expected=errors.ValidationError(
                name='principal',
                error='This principal is required by the IPA master'),
        ),
        dict(
            desc=
            'Disable the current host (master?) %s HTTP service, should be caught'
            % api.env.host,
            command=('service_disable', ['HTTP/%s' % api.env.host], {}),
            expected=errors.ValidationError(
                name='principal',
                error='This principal is required by the IPA master'),
        ),
        dict(
            desc=
            'Disable the current host (master?) %s ldap service, should be caught'
            % api.env.host,
            command=('service_disable', ['ldap/%s' % api.env.host], {}),
            expected=errors.ValidationError(
                name='principal',
                error='This principal is required by the IPA master'),
        ),
    ]